SURF tracks several things while in use. The user actions in SURF, the SDU/CTRs opened, and the Detections hit on any files. All this data is hashed, encrypted in transit, and no Personal Identifiable Information (PII) is collected. Every user and SDU/CTR is given a unique hash and that is the only data transmitted to Sophos.
However, for Sophos TSEs, your internal username is transmitted with your telemetry data for KPIs.